DORA: An Overview

Last Updated on July 19, 2025 by Arnaud Collignon

What is “digital operational resilience” in the financial sector?

Under the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554, applicable since 17 January 2025), digital operational resilience is a financial entity’s ability to build, assure, and review its operational integrity and reliability. This means ensuring, either directly or through the services of ICT (Information and Communication Technology) third-party providers, the full range of ICT-related capabilities needed to secure the network and information systems the entity uses. The goal is to support the continuous provision of financial services and maintain their quality, including throughout disruptions caused by cyber threats or ICT failures. It encompasses the protection, detection, containment, recovery, and repair capabilities needed to deal with ICT-related incidents.

Why is this regulation necessary for the financial sector?

The regulation is crucial due to the increasing digitalization and interconnectedness of the financial sector, which amplify ICT risks and cyber threats. Localized cyber incidents can quickly spread across the entire financial system, unhindered by geographical boundaries, potentially causing systemic vulnerabilities, liquidity runs, and a loss of public confidence. Existing regulations were largely focused on financial resilience (e.g., credit, market risk) rather than comprehensively addressing all components of operational resilience, including ICT security. This regulation aims to harmonize disparate national approaches, fill regulatory gaps, remove overlaps, and establish a consistent, comprehensive framework for managing ICT risk across the EU financial sector to ensure stability and market integrity.

What are the key areas addressed by this regulation for financial entities?

The regulation lays down uniform requirements for financial entities across several key areas to enhance digital operational resilience:

  • ICT Risk Management: Establishing a sound, comprehensive, and well-documented framework to identify, protect, detect, respond to, and recover from ICT risks.
  • Incident Reporting: Harmonized reporting of major ICT-related incidents to the competent authority through a single streamlined framework (an initial notification followed by an intermediate and a final report), together with voluntary notification of significant cyber threats.
  • Digital Operational Resilience Testing: Implementing a comprehensive testing program, including basic assessments (e.g., vulnerability assessments and scans, source code reviews, scenario-based tests, penetration testing) and, for the financial entities identified by their competent authority as the largest and most systemically significant, advanced threat-led penetration testing (TLPT) at least every three years, to identify and address vulnerabilities.
  • Information Sharing: Encouraging and facilitating the voluntary exchange of cyber threat information and intelligence among financial entities within trusted communities to enhance collective defense.
  • ICT Third-Party Risk Management: Setting out principles and contractual requirements for managing risks associated with ICT services provided by third parties, especially for critical or important functions, including concentration risk.

How does the regulation distinguish between different types of financial entities in terms of requirements?

The regulation applies the principle of proportionality, meaning that requirements are scaled based on a financial entity’s size, overall risk profile, and the nature, scale, and complexity of its services, activities, and operations.

  • Microenterprises benefit from a more flexible regime and are subject to a simplified ICT risk management framework. They have fewer obligations regarding complex governance arrangements, dedicated risk management functions, and internal audits, and they are exempted from advanced threat-led penetration testing. They may also agree that the access, inspection, and audit rights over an ICT third-party service provider be delegated to an independent third party appointed by that provider.
  • Larger Financial Entities (other than microenterprises and the small entities subject to the simplified framework) must establish more complex governance structures, including an independent control function responsible for managing and overseeing ICT risk, follow a three lines of defense model (or an equivalent internal risk management and control model) for ICT risk management, conduct regular internal audits of their ICT risk management framework, and, where identified by their competent authority, perform advanced threat-led penetration testing.

What is the “Oversight Framework” for critical ICT third-party service providers?

The Oversight Framework is a Union-level mechanism established to continuously monitor the activities of ICT third-party service providers deemed critical to financial entities. This framework is crucial because widespread reliance on a limited number of critical ICT service providers creates systemic risk for the Union’s financial system. The framework involves:

  • Designation of Critical Providers: ICT third-party service providers are designated as critical based on criteria like systemic impact on financial services, importance of relying financial entities, reliance on the provider for critical functions, and substitutability.
  • Lead Overseer: One of the European Supervisory Authorities (ESAs: EBA, ESMA, or EIOPA) is appointed as the Lead Overseer for each critical ICT third-party service provider, namely the ESA responsible for the financial entities that together hold the largest share of total assets among the provider’s financial-sector customers.
  • Oversight Forum: A sub-committee established by the Joint Committee of the ESAs to support oversight activities, discuss ICT risks, promote consistent approaches, and identify best practices for addressing ICT concentration risk.
  • Powers of the Lead Overseer: The Lead Overseer has powers to request information, conduct general investigations and on-site inspections, and issue recommendations to critical ICT third-party service providers to ensure their operational resilience. Where a provider fails to cooperate, the Lead Overseer can impose periodic penalty payments of up to 1% of its average daily worldwide turnover, for up to six months.
  • Union Presence Requirement: Critical ICT third-party service providers established in third countries are required to set up a subsidiary in the Union within 12 months of their designation, so that the oversight powers can be enforced.

How does the regulation address the financial sector’s reliance on third-party ICT service providers?

The regulation emphasizes a sound management of ICT third-party risk as an integral part of a financial entity’s overall ICT risk management framework. Key aspects include:

  • Full Responsibility: Financial entities remain fully responsible for compliance with the regulation, even when outsourcing ICT services.
  • Strategy and Register: Larger financial entities must adopt a strategy on ICT third-party risk. All financial entities must maintain a register of information covering every contractual arrangement with ICT third-party service providers, distinguishing those that support critical or important functions from the others, report at least yearly to the competent authority on new arrangements, and inform it in advance of any planned arrangement supporting a critical or important function.
  • Due Diligence: Before contracting, financial entities must determine whether the service supports a critical or important function, assess potential concentration risks and conflicts of interest, and undertake due diligence on prospective providers, including whether they apply appropriate information security standards.
  • Contractual Provisions: Contracts for ICT services, especially for critical or important functions, must include specific provisions on service descriptions, data protection, data recovery, assistance in incidents, cooperation with authorities, termination rights, and audit/inspection rights.
  • Exit Strategies: Financial entities must have comprehensive, documented, and tested exit strategies for critical or important functions to ensure continuity of business activities and compliance in case of provider failure or contract termination.

What is the role of the management body in ensuring digital operational resilience?

The management body of a financial entity holds ultimate responsibility for defining, approving, overseeing, and implementing the entire ICT risk management framework and digital operational resilience strategy. Their responsibilities include:

  • Bearing ultimate responsibility for ICT risk management.
  • Approving the digital operational resilience strategy, including risk tolerance levels and information security objectives.
  • Overseeing and periodically reviewing ICT business continuity policies and response/recovery plans.
  • Approving and reviewing ICT internal audit plans.
  • Allocating appropriate budget for digital operational resilience, including training and ICT skills.
  • Approving and reviewing policies on the use of ICT services from third-party providers.
  • Staying informed on ICT-related incidents, their impact, and remediation measures.
  • Actively keeping up-to-date with sufficient knowledge and skills to understand and assess ICT risk.

How does the regulation encourage information sharing on cyber threats?

The regulation actively encourages financial entities to voluntarily exchange cyber threat information and intelligence among themselves. This sharing, including indicators of compromise, tactics, techniques, and procedures, is intended to:

  • Enhance the digital operational resilience of financial entities.
  • Increase awareness of cyber threats.
  • Limit the spread of cyber threats.
  • Support defense capabilities and threat detection techniques.
  • Aid in mitigation strategies and response/recovery efforts.

Such information sharing must occur within trusted communities, protect the sensitive nature of the information, and adhere to rules of conduct that respect business confidentiality, data protection regulations (like GDPR), and competition policy guidelines. Financial entities are required to notify competent authorities when their membership in such an arrangement is validated and, where applicable, when it ends.